Businesses should not automatically comply with data deletion requests, because other legislation often obliges them to retain information, and those retention obligations override GDPR.
Stephen Watkins, an IT and InfoSec expert at a financial compliance consultancy, has emphasised that companies must assess whether an individual’s desire to ‘be forgotten’ conflicts with legal obligations, particularly regarding potential fraudulent activity and human resources. He questioned, “When does empowering individuals to be ‘masters of their own personal data destiny’ encroach on a payment service provider’s legal responsibility to prevent fraud, safeguard its venture, and limit criminal activity?”
Watkins described a scenario where a fraudster, declined during the identification and verification procedure while applying for a payment account, could exploit GDPR by requesting that their application record be deleted. This would allow them to reapply with altered details and succeed. He stated, ‘It is reasonable for you to not only maintain a database of declined applications but also to decline a deletion request.’ Retaining the minimum necessary information is essential, and declined applications can be legally kept for five years.
In situations involving money laundering, businesses face challenges under the Money Laundering Regulations 2017. If a client has laundered money and then closed their account, requesting the deletion of their records, the regulations stipulate that customer records must be held for a minimum of five years, with transactional data held for no more than ten years. Watkins stated, ‘When responding, you should explain why you are unable to meet this request.’
Human resources also present potential risks. Following a successful recruitment drive, an unsuccessful applicant might request the deletion of their records under GDPR. Watkins posed the question, ‘Should you comply if a troublemaker intends to complain against unfair recruitment practice after their record is deleted?’ He suggested that industry best practice is to retain unsuccessful applicants’ relevant data for the required timescale, even when asked.
Employees leaving organisations may also request that their staff records be erased. Watkins highlighted that if a complaint has been made against an employee, they might hope that erasing their data would prevent a new employer from becoming aware of their history. He advised that only personal data for which there is no legitimate reason to retain it should be deleted. Employee records must be retained for six years to provide evidence against legal claims such as constructive or unfair dismissal, which can be brought for up to six years after the end of the contract under the Statute of Limitations Act 1980.
The complexities surrounding data deletion requests necessitate cautious and legally compliant approaches by businesses to balance GDPR with other legislative requirements.